Data Processing Agreement
Summary
A Data Processing Agreement (DPA) is a contract that explains how a processor handles personal data on behalf of a controller, setting out the purpose, scope, security measures, and responsibilities required under GDPR.
Last Updated: 11 Jun 2026
Purpose
HealthPass processes personal data on behalf of the Controller to provide compliance, onboarding, and document‑management services.
Role of the Parties
The Controller decides what data is collected and why. HealthPass acts solely as a Processor and processes data only on the Controller’s documented instructions.
Types of Data
Personal data submitted by the Controller or data subjects, which may include identity information, employment‑related information, compliance documents, onboarding forms, certifications, credentials, and any other information the Controller chooses to process through the service.
Data Subjects
Workers, candidates, employees, contractors, and authorised users of the Controller.
Location of Processing
Data is hosted in the region selected by the Controller (e.g., Australia or the United Kingdom). HealthPass may access data from other regions solely to provide support, as instructed by the Controller.
Security
HealthPass implements appropriate technical and organisational measures, including encryption, access controls, monitoring, and secure hosting.
Sub‑Processors
HealthPass uses vetted sub‑processors (such as hosting and email providers). The Controller is notified of any changes and may object where permitted.
Data Subject Rights
The Controller is responsible for handling data subject requests. HealthPass will assist the Controller as required.
Breach Notification
HealthPass will notify the Controller without undue delay after becoming aware of a personal data breach.
Data Return/Deletion
At the end of the contract, HealthPass will delete or return personal data as instructed by the Controller.
Liability
Each party’s liability is limited as set out in the agreement.
Details
1. Roles of the Parties
The customer (the Controller) determines the purposes and means of processing personal data. HealthPass (the Processor) processes personal data only on the Controller’s documented instructions.
2. Subject Matter, Nature, Purpose, and Duration
HealthPass processes personal data to provide compliance, onboarding, and document‑management services. Processing continues for the duration of the contract and ends when data is returned or deleted at the Controller’s instruction.
3. Types of Personal Data and Data Subjects
Personal data submitted by the Controller or data subjects, which may include identity information, employment‑related information, compliance documents, onboarding forms, certifications, credentials, and any other information the Controller chooses to process. Data subjects may include workers, candidates, employees, contractors, and authorised users.
4. Processor Obligations
HealthPass will:
process data only on the Controller’s instructions
ensure confidentiality
implement appropriate technical and organisational security measures
assist the Controller with data subject rights requests
assist with security, breach notifications, and DPIAs where required
delete or return data at the end of the contract
make information available to demonstrate compliance
5. Controller Obligations
The Controller will:
ensure it has a lawful basis for processing
provide lawful and documented instructions
handle all data subject rights requests
determine retention periods
ensure its use of HealthPass complies with applicable law
6. Security Measures
HealthPass maintains appropriate technical and organisational measures, including encryption, access controls, monitoring, and secure hosting. A detailed description may be provided in a security appendix.
7. Sub‑Processors
HealthPass may use sub‑processors (such as hosting and email providers). HealthPass will maintain a list of sub‑processors and notify the Controller of changes, giving the Controller the opportunity to object where permitted.
7.1 Sub‑processor notification via webpage
HealthPass maintains an up‑to‑date list of sub‑processors here. The Controller is responsible for reviewing this page for updates. Continued use of the service after a sub‑processor change constitutes acceptance of the updated list.
7.2 Opportunity to object
The Controller may object to a new sub‑processor on reasonable grounds relating to data protection. If an objection is raised, the parties will discuss in good faith. If the Controller cannot accept the new sub‑processor, its sole remedy is to terminate the service.
8. International Transfers
Data is hosted in the region selected by the Controller (e.g., Australia or the United Kingdom). Any access from other regions (e.g., for support) occurs only on the Controller’s instructions. The Controller is responsible for ensuring an appropriate transfer mechanism is in place.
9. Data Subject Rights
The Controller is responsible for responding to data subject requests. HealthPass will assist the Controller as required and only act on the Controller’s instructions.
10. Breach Notification
HealthPass will notify the Controller without undue delay after becoming aware of a personal data breach.
11. Data Return or Deletion
The Controller may export its data at any time using the standard functionality of the HealthPass platform. At the end of the contract, HealthPass will delete personal data unless the Controller instructs otherwise and continues to pay for the service.
HealthPass will not retain personal data after contract termination unless the Controller continues the service or enters into a separate paid arrangement for data retention.
Operational logs, audit records, and system‑generated metadata may be retained by HealthPass for security, compliance, and audit purposes for a limited period after contract termination. These logs are not considered Controller data and are not subject to return or export.
12. Audit Rights
The Controller may conduct audits or inspections, subject to reasonable notice and limitations to protect confidentiality and security.
13. Liability
Each party’s liability is limited as set out in the main agreement between the parties.
14. Governing Law
This DPA forms part of the main contract between the parties and is governed by the same law and jurisdiction as that agreement.